This provides guidance on the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. It also includes guidance on the reasonable steps entities are required to take to destroy or de-identify personal information that they hold once it is no longer needed. This guide is intended for use by entities covered by the Privacy Act, including organisations, agencies, credit reporting bodies, credit providers and tax file number recipients. However, this guide may also be relevant to organisations not subject to the Privacy Act as a model for better personal information security practice.

The Privacy (Persons Reported as Missing) Rule 2014 is a legislative instrument made under subsection 16A(2) of the Privacy Act and applies for the purposes of the permitted general situation which relates to the collection, use or disclosure of personal information to locate a person who has been reported as missing.

These guidelines cover the development, registration and ongoing administration of Australian Privacy Principles codes and the Credit Reporting code. They should be used by entities that are considering developing a code, developing a code on their own initiative or following a request from the Information Commissioner, or are persons or bodies responsible for overseeing the ongoing administration of a code.

The Privacy Act gives the Information Commissioner the discretion to recognise external dispute resolution (EDR) schemes to handle privacy-related complaints. These guidelines outline the conditions that must be met by EDR schemes to be recognised under the Privacy Act.

These guidelines assist Australian Government agencies to use data matching as an administrative tool in a way that complies with the Australian Privacy Principles (APPs) and the Privacy Act 1988, and is consistent with good privacy practice.